Skip to content

chore: recompile all agentic workflows#2217

Merged
lpcox merged 2 commits intomainfrom
chore/recompile-workflows-apr25
Apr 25, 2026
Merged

chore: recompile all agentic workflows#2217
lpcox merged 2 commits intomainfrom
chore/recompile-workflows-apr25

Conversation

@lpcox
Copy link
Copy Markdown
Collaborator

@lpcox lpcox commented Apr 25, 2026

Summary

Recompiles all 30 lock files with the gh-aw v0.71.1 compiler to pick up changes from recently merged workflow .md updates.

Changes

No source code changes

Only compiled workflow output (.lock.yml) and action lock metadata.

@lpcox
chore: recompile all agentic workflows
0ada86e 
Recompile all 30 lock files with gh-aw v0.71.1 compiler to pick up
changes from recently merged workflow .md updates. Key changes:
- Remove sha256 digest pins from container image references
- smoke-services.lock.yml updates from #2214

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 25, 2026 22:17
@lpcox lpcox requested a review from Mossaka as a code owner April 25, 2026 22:17
@lpcox
chore: upgrade mcpg from v0.2.29 to v0.3.0 in remaining workflows
aa23bea 
Update sandbox.mcp.version from v0.2.29 to v0.3.0 in:
- smoke-claude.md
- smoke-codex.md
- smoke-copilot.md

All 30 workflows now use mcpg v0.3.0.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

This comment has been minimized.

Sign in to view
Copilot AI reviewed Apr 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Recompiles the repository’s agentic workflow lock files using the gh-aw v0.71.1 compiler so the committed .lock.yml outputs reflect recent .md workflow changes and updated pinned action metadata.

Changes:

  • Recompiled ~30 agentic workflow .lock.yml files to match current .md sources.
  • Updated MCP gateway / GitHub MCP server container references in compiled output (notably dropping inline @sha256:... in several places).
  • Refreshed .github/aw/actions-lock.json with the latest action pins used by the compiler/templates.
Show a summary per file
File Description
.github/workflows/update-release-notes.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/test-coverage-improver.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/smoke-services.lock.yml Recompiled lock output; incorporates smoke-services workflow updates (but includes a host-access regression).
.github/workflows/smoke-opencode.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/smoke-gemini.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/smoke-copilot.lock.yml Recompiled lock output; MCP server container reference updated.
.github/workflows/smoke-copilot-byok.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/smoke-chroot.lock.yml Recompiled lock output; MCP/CLI proxy image references updated.
.github/workflows/security-review.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/security-guard.lock.yml Recompiled lock output; MCP/CLI proxy image references updated.
.github/workflows/secret-digger-copilot.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/secret-digger-codex.lock.yml Recompiled lock output; mcpg image pinning behavior changed in at least one job.
.github/workflows/secret-digger-claude.lock.yml Recompiled lock output; MCP gateway image reference updated.
.github/workflows/plan.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/pelis-agent-factory-advisor.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/issue-monster.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/issue-duplication-detector.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/firewall-issue-dispatcher.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/doc-maintainer.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/dependency-security-monitor.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/copilot-token-usage-analyzer.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/copilot-token-optimizer.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/cli-flag-consistency-checker.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/claude-token-usage-analyzer.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/claude-token-optimizer.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/ci-doctor.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/ci-cd-gaps-assessment.lock.yml Recompiled lock output; MCP-related image references updated.
.github/workflows/build-test.lock.yml Recompiled lock output; MCP-related image references updated.
.github/aw/actions-lock.json Updated action pin metadata used for workflow compilation.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 34/34 changed files
  • Comments generated: 2

Comment thread .github/workflows/smoke-services.lock.yml
Comment on lines +748 to 749
sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --session-state-dir /tmp/gh-aw/sandbox/agent/session-state --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.28,squid=sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474,agent=sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a,api-proxy=sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb,cli-proxy=sha256:fdf310e4678ce58d248c466b89399e9680a3003038fd19322c388559016aaac7 --skip-pull --enable-api-proxy \
-- /bin/bash -c 'GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
Copy link

Copilot AI Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

smoke-services.md describes this workflow as validating --allow-host-service-ports for Redis/Postgres, but the compiled lock is now running awf with --enable-host-access --allow-host-ports 80,443,8080 instead. That both weakens the intended restriction (opens common web ports instead of just 6379/5432) and means the smoke test is no longer exercising the flag it claims to validate. Recompile/fix the lock output so the awf invocation uses --allow-host-service-ports 6379,5432 (and does not enable broad host access).

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/secret-digger-codex.lock.yml
sudo chmod +x /usr/local/bin/awf
- name: Download container images
run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474 ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d
run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474 ghcr.io/github/gh-aw-mcpg:v0.3.0
Copy link

Copilot AI Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This job now downloads ghcr.io/github/gh-aw-mcpg:v0.3.0 without an @sha256:... digest pin. That makes the workflow non-reproducible and weakens supply-chain guarantees compared to the other pulled images (and compared to other jobs in this same lock file that still pin mcpg by digest). Keep the mcpg image reference pinned by digest here as well (and ensure any subsequent docker run of mcpg uses the same pinned image).

Suggested change
run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474 ghcr.io/github/gh-aw-mcpg:v0.3.0
run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474 ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d

Copilot uses AI. Check for mistakes.
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

Smoke Test Results:

  • ✅ GitHub MCP: Retrieved 2 merged PRs
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File I/O: Test file created and verified
  • ✅ Bash: File read back successfully

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

Smoke Test: Copilot BYOK (Offline) Mode

Test Result
GitHub MCP connectivity
GitHub.com HTTP ⚠️ pre-step data unavailable (template not resolved)
File write/read ⚠️ pre-step data unavailable (template not resolved)
BYOK inference (api-proxy → api.githubcopilot.com)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com ✅

Overall: PASS (core BYOK path confirmed; pre-step template variables were not expanded)

PR by @lpcox · reviewers: @Mossaka, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

🔬 Smoke Test Results

Test Result
GitHub MCP connectivity ✅ (listed PRs successfully)
GitHub.com HTTP ❌ (smoke-data step outputs not resolved)
File write/read ❌ (smoke-data step outputs not resolved)

Overall: FAILsmoke-data pre-step did not produce outputs; template variables unresolved.

PR: chore: recompile all agentic workflows by @lpcox

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

Smoke test:
PRs reviewed: feat: optimize Smoke Services workflow for token efficiency; chore: upgrade agentic workflows from v0.69.3 to v0.71.1
GitHub MCP / safeinputs-gh query: ❌ required tool unavailable in session
Playwright GitHub title check: ✅
Tavily web search: ❌ Tavily tool unavailable in session
Temp file write + bash cat verify: ✅
AWF build (npm ci && npm run build): ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

Smoke Test: Services Connectivity — ❌ FAIL

Check Result
Redis PING ❌ Timeout/no response
PostgreSQL pg_isready ❌ No response
PostgreSQL SELECT 1 ❌ Not reached

host.docker.internal is not reachable from this runner environment. Services containers are unavailable.

🔌 Service connectivity validated by Smoke Services

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2217 · ● 573.4K ·

@lpcox lpcox merged commit b6b306f into main Apr 25, 2026
61 of 65 checks passed
@lpcox lpcox deleted the chore/recompile-workflows-apr25 branch April 25, 2026 22:27
@github-actions github-actions Bot mentioned this pull request Apr 26, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Mossaka Mossaka Awaiting requested review from Mossaka Mossaka is a code owner

Assignees

No one assigned

Labels

build-test smoke-claude smoke-copilot-byok

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox